Security Disclosure Debate Reignites

Online security consultancy Spi Dynamics has sparked a new debate over the responsible handling of vulnerability warnings with the release of an alert for multiple security holes in the Sun ONE Application Server 7.0.

The Atlanta-based Spi Dynamics issued the warning without the availability of a patch or workaround from Sun Microsystems. A spokesperson for Sun confirmed the existence of the security holes and said one of the bugs has already been fixed in Update 1 of Application Server 7.0.

“We’re aware of the security issues and have fixes underway. The other three bugs will be fixed in Update 2, expected to be available in August,” the spokesperson said.

However, a JSP source code disclosure vulnerability which carries a “High” severity rating is still unpatched.

According to Spi Dynamics CEO Brian Cohen, the decision to release the information was made after several unsuccessful attempts to reach Sun’s security unit.

“We made numerous efforts to contact Sun and work with them on a fix for these issues but they never responded. We followed all the necessary disclosure procedures and notified Sun since March 18. We had no choice but to go public because, in this case, the vendor was completely unresponsive. We have a responsibility to the public at large to disclose this vulnerability,” Cohen said in an interview.

Cohen said it was “unacceptable” for a software vendor the size of Sun Microsystems to be unresponsive to security warnings from researchers. Since March 18, Cohen said Sun’s security unit responded once to say the holes were being patched but they needed time because the developer was on vacation. Since then, he said numerous attempts to get an update from Sun were unsuccessful.

The Sun spokesperson denied Cohen’s claim. “Spi was notified in previous communications of Sun’s plan to fix these bugs,” she said.

Meanwhile, the serious JSP vulnerability won’t be fixed until Sun issues Update 2 for the product in August. However, the spokesperson said Sun would make the fix available upon request prior to general availability of the update. “Customers can contact Sun through their normal support channels to obtain the fix,” she said.

The latest controversy comes on the heels of a public spat between the Apache Software Foundation (ASF) and the Internet Security Systems (ISS) over the way a warning about a security hole in the Apache HTTP Server was handled.

In that case, an easy-to-use exploit for the hole was circulating on the Internet before Apache got a chance to plug the vulnerability. Apache officials were upset they weren’t first notified before the ISS issued its advisory, a normal procedure when bugs are detected. Since then, Apache has taken a proactive approach to issuing updates to avoid embarrassment.

Gartner security analyst John Pescatore rapped Sun for being notoriously slow to fix known holes in its products. “In this day and age, if a consultant finds a vulnerability and notifies the vendor, two weeks is reasonable time to make a patch available,” Pescatore said. In some cases, vendors can request more time to get a fix ready but, if it drags on for more than a month, Pescatore said the researcher has no option but to release the information.

“Anything more than a month is just dragging things on too long and setting up a ‘Day Zero’ situation,” he declared, noting that Spi Dynamics has a history of being very responsible about reporting vulnerabilities.

“If you go back a number of years, before Solaris, when Sun had the most popular operating system for servers connected to the Internet, Sun would go six months without fixing a vulnerability. Back then, no one publicized these things so it was not a huge deal. But, in this day and age, that’s not going to happen,” Pescatore said.

He said the latest controversy underscores the need for an acceptable protocol for cooperation between independent researchers and software vendors. “In general, the communication has worked well but there are times when it could be improved.”

Back in 2002, Pescatore said Microsoft tried to get a group of software vendors together to define a protocol via an Internet RFC but that proposal got bogged down because too many consultants mistrusted Microsoft.

There is a feeling that pressure from independent researchers could be a good thing. “If the vendors didn’t have this pressure from the consultancies, then they just wait too long to come out with a patch. I think the tension has its benefits,” Pescatore declared.